Towards Industrial Security Through Real-Time Analytics

Towards Industrial Security Through Real-time Analytics

Prajjwal Dangal Gedare Bloom Department of Computer Science Department of Computer Science University of Colorado Colorado Springs University of Colorado Colorado Springs Colorado Springs, CO, USA Colorado Springs, CO, USA 0000-0001-7835-3867 0000-0002-5677-7092

Abstract—Industrial control system (ICS) denotes a system Status: On Uptime: 99.67% Sector 1 Sector 2 consisting of actuators, control stations, and network that man- HMI Panel On Off ages processes and functions in an industrial setting. The ICS community faces two major problems to keep pace with the Bridge broader trends of Industry 4.0: (1) a data rich, information poor

(DRIP) syndrome, and (2) risk of ﬁnancial and safety harms due Controller Network to security breaches. In this paper, we propose a private cloud in the loop ICS architecture for real-time analytics that can bridge Microcontroller 1 Microcontroller 2 ... Microcontroller n the gap between low data utilization and security hardening. Index Terms—industrial, real-time, security .

I.INTRODUCTION Security of an ICS deals with the protection and resiliency OSPC of the underlying devices while making sure their services PLC 1 PLC 2 PLC n meet timing constraints. The timing constraints manifest in terms of high availability as well as real-time requirements, i.e., the necessity for these devices to perform tasks such as Fig. 1: An ICS architecture for real-time analytics. issuing control commands within a bounded amount of time. ICS security is a critical issue as demonstrated by attacks such as Stuxnet or the German Mill Attack [1]. The financial cost Real-time analytics can further enhance the arsenal of ICS of such attacks can individually reach from millions to billions operators to defend the infrastructure against attacks as well of dollars. as zero day vulnerabilities. Although ICS attack surfaces are extremely broad, we focus We propose embedding an On Site Private Cloud (OSPC) on the aspect of attack detection at the Programmable Logic within an ICS architecture to create a real-time plant data pro- Controller (PLC) interconnect network specifically, relying on cessing pipeline, as also shown in Figure 1. The figure shows real-time analytics. PLCs are used widely in ICSs to relay a typical ICS architecture consisting of a HMI connected to commands and automate functions. In an attack scenario, real- the controller network connected to a layer of PLCs as well time analytics of the network traffic could reduce the time to as the OSPC. Finally, the PLCs are connected to motors and threat discovery and mitigation. sensors, which are also known as Process Connected Devices (PCD) and are the first point of telemetry data in an ICS. II.APPROACH &BACKGROUND The PCD-PLC connection features real-time communication We take real-time analytics to mean the streaming of data requirements, and the protocols employed are called Class C. from a (plant) process through an algorithm to an output within The connection between the HMI and the Bridge does not a bounded time. As seen in Figure 1, that output may be have real-time requirements and the protocols used in that part presented to a Human Machine Interface (HMI) for an operator of the architecture are called class A protocols [2]. Table I to observe, or relayed to another, potentially non real-time data shows the response time of common ICS protocols [3]. Class processing pipeline, or even used to further the automation of C protocols have the lowest response times (latency), followed the subject plant device. Historically, real-time analytics in ICS by class B while class A protocols are not time sensitive. have been popular for prognostics and health management. In our approach, we choose Open Powerlink protocol in Standard IT security practices like strong passwords and conjunction with OSPC in order to create a real-time analytics certificates for authentication, and closing of unnecessary ports based Intrusion Detection System (IDS). We believe an OSPC and services to reduce the attack surface also apply to ICSs. cloud-in-the-loop approach is superior for this application [4] This work is supported by NSF OAC-2001789 because of its geographical proximity with the control system MAC Header Ethernet Payload CRC MAC Destination MAC Source Ether Type 0x88AB

Ethernet Frame

POWERLINK Header Powerlink Payload Message Type POWERLINK Dest POWERLINK Source

POWERLINK Frame Fig. 2: Standard POWERLINK frame in an Ethernet frame devices. Cloud-in-the-loop entails embedding cloud computing curity [11], and Switched Ethernet [12]. In particular, the IEEE into a (control) loop with real-time guarantees. 802.1 AE standard outlines a set of integrity-related services Open Powerlink is the open sourced implementation of the including frame loss, frame ordering, and frame duplication, Ethernet Powerlink protocol, which has both a hard and a soft although we have observed that not all implementations adhere real-time protocol. Powerlink’s schedule is periodic TDMA to the standard, especially the EtherCAT protocol [2]. with three phases: (i) Start of Cyclic (SoC) frame phase IV. CONCLUSION on which all nodes are synchronized, (ii) isochronous phase when messages with hard real-time deadline are transmitted, Real-time analytics addressing integrity attacks on real-time and (iii) asynchronous phase when non-time-critical messages ICS networks is a nascent field with room for experimentation are transmitted. Precision Time Protocol (PTP) is used for and innovation. We have described our work-in-progress to synchronization. Figure 2 shows the standard Powerlink frame. explore this field. Our prototype setup currently consists of hardware viz. REFERENCES Raspberry Pi 2, TP-Link Ethernet Switch, a workstation that has a CPU with four execution units each at 3.10 GHz [1] K. E. Hemsley, E. Fisher et al., “History of industrial control system cyber incidents,” Idaho National Lab.(INL), Idaho Falls, ID (United and a 8 GB RAM. The software consists of Ubuntu 14 States), Tech. Rep., 2018. based lightweight Linaro OS, Open Powerlink network stack, [2] E. D. Knapp and J. T. Langill, Industrial Network Security: Securing tcpdump. We will subject our setup to attacks such as rogue critical infrastructure networks for smart grid, SCADA, and other Industrial Control Systems. Syngress, 2014. frame insertion, electromagnetic interference, and timing syn- [3] “The best ethernet protocol for your plc: 5 fieldbuses compared for chronization attacks. We plan to evaluate and experiment with industry 4.0,” 2015-2016. [Online]. Available: https://www.automation. defense techniques such as IDS [5], cryptography, and logging. com/pdf articles/kingstar/Best Ethernet Protocol for Your PLC.pdf [4] G. Bloom, B. Alsulami, E. Nwafor, and I. C. Bertolotti, “Design patterns Currently, we are experimenting with inserting the relatively for the industrial internet of things,” in 2018 14th IEEE International more powerful workstation into the network of the Pis to Workshop on Factory Communication Systems (WFCS). IEEE, 2018, monitor network traffic with Wireshark, which supports Open pp. 1–10. [5] C. Young, J. Zambreno, H. Olufowobi, and G. Bloom, “Survey of Powerlink. automotive controller area network intrusion detection systems,” IEEE Design & Test, vol. 36, no. 6, pp. 48–55, 2019. Protocol Class Response time [6] J. Lee, H. D. Ardakani, S. Yang, and B. Bagheri, “Industrial big data Profinet IRT C < 1 ms analytics and cyber-physical systems for future maintenance & service Profinet RT B < 10 ms innovation,” Procedia Cirp, vol. 38, pp. 3–7, 2015. Powerlink B < 1 ms [7] M. H. ur Rehman, E. Ahmed, I. Yaqoob, I. A. T. Hashem, M. Imran, EtherCAT C 0.1 ms and S. Ahmad, “Big data analytics in industrial iot using a concentric Sercos-III C < 0.5 ms computing model,” IEEE Communications Magazine, vol. 56, no. 2, pp. CC-Link IE C 1 ms 37–43, 2018. [8] J. W. Williams, K. S. Aggour, J. Interrante, J. McHugh, and E. Pool, TABLE I: Response times of common ICS protocols “Bridging high velocity and high volume industrial big data through distributed in-memory storage & analytics,” in 2014 IEEE International Conference on Big Data (Big Data). IEEE, 2014, pp. 932–941. III.RELATED WORK [9] H. Olufowobi, C. Young, J. Zambreno, and G. Bloom, “Saiducant: Closely related work in this field tackles this issue as an Specification-based automotive intrusion detection using controller area network (can) timing,” IEEE Transactions on Vehicular Technology, extension of big data analysis or in the context of defining 2019. protocol standards. [10] G. M. Garner, “Timing and synchronization for time-sensitive applica- Lee et al. [6] and Rehman et al. [7] use big data analytics in tions in bridged local area networks-draft v. 1.0,” The Interworking Task Group of IEEE, vol. 802, 2007. an industrial architecture similar to Figure 1. Williams et al. [11] “Ieee standard for local and metropolitan area networks-media access [8] deal with high volume and low latency (high velocity) and control (mac) security,” IEEE Std 802.1AE-2018 (Revision of IEEE Std outline benchmark analytics. Olufowobi et al. [9] developed a 802.1AE-2006), pp. 1–239, 2018. [12] I. E. Commission et al., “Iec 61784-1,” Digital data communications real-time based IDS in the automotive domain that identifies for measurement and control-Part, vol. 1. attacks as violations of response times. Three relevant standards to our work are Time Sensitive Networking (TSN) [10], OSI data link layer’s mac sublayer se-